Proximity-based security for implanted medical devices

ABSTRACT

A proximity-based security mechanism can control access to the programming interface of an implanted medical device. The security mechanism prevents unauthorized remote access to the programming interface by hackers or other hostile individuals, securing the safety of the subject. The system also allows the subject or other responsible person to activate the programming interface when changes to the operation of the implanted medical device are needed. In one example, a security interface is operable to detect, while implanted in the subject, an activation signal produced in close proximity to the subject, and activate the programming interface in response to the activation signal so that the implantable medical device can receive the programming instructions. A proximity-based security mechanism can be a dedicated device, or can be implemented in a programmable computing device such as a smartphone or other mobile computing device.

TECHNICAL FIELD

This disclosure generally relates to providing programming-interfacesecurity for implanted medical devices. More specifically, thisdisclosure relates to security mechanisms that operate at least partlybased on physical proximity.

BACKGROUND

As increasing numbers of people receive implanted medical devices, thethreat of hackers or others intentionally or accidently connecting tothose devices wirelessly also increases. Access security for theprogramming interfaces for these medical devices can be challenging.Generally, the devices use an indirect programming interface to avoidinsulting protective skin. The indirect interface may be subject toattacks and unauthorized reprogramming. The risk may be increased forhigh-profile individuals such as political figures and wealthyindividuals. Regretfully, bad actors may hurt others simply because theycan or for some other agenda. A medical device may also be susceptibleto accidental reprogramming, for example, in environments where multipleindividuals with implanted medical devices may be present. Preventingunauthorized access to programmable medical devices, while allowingaccess quickly and efficiently for emergency personnel to adjust deviceparameters if needed is challenging.

SUMMARY

In one example, a system includes an implantable medical deviceincluding a programming interface to receive programming instructions invivo in a subject to control operations of the implantable medicaldevice, and a security interface coupled to the implantable medicaldevice in vivo to prevent access to the programming interface except inresponse to receiving a coded activation signal produced ex vivo inproximity to the subject to allow the programming interface to receivethe programming instructions.

In another example, a method includes detecting, at or near a medicaldevice implanted in a subject, a coded activation signal produced inclose proximity to the subject, activating a programming interface forthe medical device in response to the coded activation signal, andreceiving programming instructions over the programming interface whilethe programming interface is activated.

In another example, a non-transitory computer-readable medium includesinstructions that are executable by a computing device for causing thecomputing device to perform operations for activating a programminginterface of a medical device implanted in a subject. The operationsinclude receiving input from a user directed to authenticating access tothe programming interface of the medical device, and transmitting anauthentication signal comprising at least one of an acoustic signal oran optical signal configured to activate the programing interface whenthe computing device is in close proximity to the subject.

BRIEF DESCRIPTION OF THE FIGURES

These and other features, aspects, and advantages of the presentdisclosure are better understood when the following Detailed Descriptionis read with reference to the accompanying drawings.

FIG. 1 is a block diagram depicting a system for proximity-basedsecurity for an implantable medical device according to some aspects.

FIG. 2 is a block diagram depicting a system for proximity-basedsecurity for an implantable medical device according to additionalaspects.

FIG. 3 is a block diagram depicting a system for proximity-basedsecurity for an implantable medical device according to further aspects.

FIG. 4 is a block diagram depicting a computing device for implementinga proximity-based security mechanism for an implantable medical deviceaccording to some aspects.

FIG. 5 is a flowchart illustrating a process for providingproximity-based security for an implantable medical device according tosome aspects.

FIG. 6 is a flowchart showing the operation of a computing deviceimplementing a proximity-based security mechanism for an implantablemedical device according to some aspects.

DETAILED DESCRIPTION

Certain aspects of this disclosure relate to controlling the access tothe programming interface of an implantable medical device. Unauthorizedremote access to the programming interface by hackers or otherindividuals can be prevented. Certain aspects can also allow the subjector an approved person to activate the programming interface to programthe implanted medical device.

In one example, a controlled security mechanism can control access tothe programming interface receiver of the implantable medical device.The controlled security mechanism can prevent access to the implanteddevice by devices other than those in proximity to the subject. If thecontrolled security mechanism is present, the receiver of the medicaldevice can be activated, and reprogramming or reconfiguration can beperformed. To provide additional security against inadvertentenvironmental activation, in certain aspects, a coded activation signalthat is unlikely to be naturally occurring can be used. The term“subject” as used herein is intended to represent not only a humanpatient into which a medical device has been planted, but also an animalas implantable medical devices can be used in veterinary practice oranimal management. The term “user” is intended to refer to anyone who islegitimately interacting with or enabling an interface of an implantedmedical device, including, but not limited to, a patient, medical careprovider, or first responder.

As an example, a security mechanism can be a battery-operated hand-helddevice that can be placed near a patient with an implanted medicaldevice. Programming instructions, commands, changes to settings, etc.cannot be provided to the implanted medical device unless the hand-helddevice is present close to the patient. By designing the hand-helddevice to require immediate proximity to the implanted medical device,and therefore to the patient in order to enable programming access tothe implanted medical device, unauthorized remote reprogramming of theimplanted medical device is prevented. As a more detailed example, theimplanted medical device can include a magnetic switch that closes inthe presence of a moderately strong, coded magnetic field applied to theskin directly over the magnetic switch. The magnetic field is generatedby the battery-operated, hand-held device. Because magnetic fieldsdecrease with the square of distance, the odds of nefarious activationfrom more than a few feet away from the patient are small, even if anunauthorized individual were to come into possession of the appropriatehand-held device. In another more detailed example, an opticallytriggered switch is used in the implanted medical device. By using abattery-operated, hand-held security device that generates wavelengthsof light that are transmitted easily through skin, the opticallytriggered switch can be activated for a period of time sufficient forthe authorized person with the hand-held device to provide programmingor setting updates to the implanted medical device. A coding scheme canprevent inadvertent switch activation from random light sources. Anacoustically triggered switch can also be used in the implanted medicaldevice, with the battery-operated, hand-held device generating soundpatterns.

The hand-held security device, as an example, can be a special-purposedevice with an appropriate signaling transducer and a processing devicein the form of a microcontroller or digital signal processor. Thehand-held security device, as another example, can be a general-purposecomputing device such as a smartphone, personal computer, or tabletcomputer. In such a case, the proximity-based security mechanism isimplemented by an application (an “app”), which can be installed on thegeneral-purpose computing device.

Detailed descriptions of certain examples are discussed below. Theseillustrative examples are given to introduce the reader to the generalsubject matter discussed here and are not intended to limit the scope ofthe disclosed concepts. The following sections describe variousadditional aspects and examples with reference to the drawings in whichlike numerals indicate like elements, and directional descriptions areused to describe the illustrative examples but, like the illustrativeexamples, should not be used to limit the present disclosure.

FIG. 1 depicts an example of a system 100 for providing proximity-basedsecurity for an implantable medical device 102 according to someaspects. The implantable medical device 102 can receive programminginstructions through programming interface 104. Implantable medicaldevice 102 can be implanted in a subject having flesh boundary 106 suchthat the left-hand side of the flesh boundary 106 is in vivo to thesubject and the right-hand side of the flesh boundary 106 is ex vivo tothe subject. System 100 also includes an interface switch 108 to controlaccess to implantable medical device 102 by enabling and disablingprogramming interface 104. In some aspects, interface switch 108 enablesor disables programming interface 104 by interrupting the programminginterface's connection to a first transducer 110. A security interface112 can be communicatively coupled to implantable medical device 102through the interface switch 108. Security interface 112 can detectactivation signal 114 that can be received through flesh boundary 106from a proximity-based security mechanism 116 that can generate anactivation signal in close proximity to the subject. Security interface112 can receive activation signal 114 using second transducer 118. Ifthe appropriate activation signal is received, security interface 112can close interface switch 108 to allow programming instructions to bereceived by the programming interface 104. In some aspects, theinstructions are carried by signal 120 that is communicated bycommunication interface device 122. Communication interface device 122can provide programming instructions for medical device functionscarried by signal 120. Signal 120 is received using transducer 110. Asused herein, the phrase “programming instructions” can include, but isnot limited to, program code in the traditional sense, such as may betransmitted to the implantable medical device to provide a software orfirmware update. The term “programming instructions” can also include orrefer to one or more operational setting values for the implantablemedical device that are input by a user such as a physician usingcommunication interface device 122.

In some aspects, activation signal 114 of FIG. 1 is a magnetic fieldsensed by transducer 118 so that interface switch 108 acts as a magneticswitch for implantable medical device 102. The magnetic switch can closein the presence of a moderately strong magnetic field applied to theskin directly over transducer 118. In such a case, proximity-basedsecurity mechanism 116 produces the magnetic field. Because magneticfields decrease in intensity with the square of distance, the odds ofnefarious activation from more than a few feet from the subject aresmall. Further, if the subject were to inadvertently be in the presenceof a strong magnetic field, the magnetic field wouldn't necessarily harmthe programming mechanism, but would simply open the switch to allowprogramming to occur. Additional security can be obtained by using acoded magnetic field instead of a static magnetic field. Such coding canbe imparted, as an example, by applying pulsing in a predeterminedpattern to create a pulsed magnetic field. The magnetic field caninclude a predetermined pattern or a pulse frequency that isspecifically assigned to the implantable medical device.

In another aspect, interface switch 108 of FIG. 1 acts as an opticallytriggered switch, where activation signal 114 is an optical signal. Byusing wavelengths of light that are transmitted easily through skin andan on-off coding scheme, interface switch 108 can be activated for aperiod of time sufficient to perform the configuration or softwaredownload. The coding scheme prevents inadvertent switch activation fromrandom light sources. A measure of light intensity can also be used toensure activation only occurs if the proximity-based security mechanism,which includes the light source, is essentially in direct contact withthe skin. For even greater security, the coding scheme can be specificto the specific implantable medical device and thus to the subject,meaning any user trying to use coded light to activate interface switch108 would need to know a secure code.

In another aspect, interface switch 108 of FIG. 1 acts as anacoustically operated switch where activation signal 114 is an acousticsignal and a coded tone or set of tones is presented by an ultrasound oraudible generator that is included in proximity-based security mechanism116. Again, frequency and pulse coding can eliminate random activationfrom background audio and the coding scheme can be specific to thespecific implantable medical device and thus to the subject, meaning anyuser trying to use audio tones to activate interface switch 108 wouldneed to know a secure code. The code can be applied based on carrierfrequency or pulse frequency in the case of pulse modulation, either afrequency or a set of frequencies being specifically assigned to animplantable medical device.

In the system of FIG. 1, interface switch 108 and security interface 112in some aspects can each be implemented in hardware, software, firmware,or some combination of the foregoing. The functions of some or all ofthe implantable medical device 102, interface switch 108, and securityinterface 112, and of one or both transducers 110 and 118, can becombined into a single physical device. But, in some aspects, at leastthe function of the security interface 112 and the programming interface104 are isolated so that the proximity-based security mechanism 116enables two-factor authentication within system 100. Proximity-basedsecurity mechanism 116 serves as the “second” authentication factorbecause security credentials are also required to initiate the receptionof instructions through programming interface 104 from communicationinterface device 122. The security credentials can include anauthentication key or password known only to the implantable medicaldevice, an authorized medical system, and authorized users.

System 100 of FIG. 1 is illustrated schematically, meaning that thevarious components can be arranged in various ways and the communicationinterface device 122 may be further from the subject thanproximity-based security mechanism 116. In some aspects, communicationinterface device 122 enables remote programming from a server connectedthrough a cloud network or the Internet. In such a case, only theproximity-based security mechanism 116 is necessarily in close proximityto the subject with implantable medical device 102. The phrase “closeproximity” is intended to describe distances within those expected in atypically sized room that might be used for medical treatment. Suchdistances, as an example, might be anywhere from essentially zerometers, when the proximity-based security mechanism is in contact ornear contact with the skin, to several meters. As further examples, theproximity-based security mechanism may operate within one meter orwithin two meters of the subject. In order to maintain acceptablesecurity, the proximity-based security mechanism should not be able totrigger the interface switch from greater distances, since thiscapability would allow a nefarious individual to trigger the interfaceswitch from a position outside the view of the subject or user.

A proximity-based security mechanism according to some aspects is adedicated hardware-based device, a dedicated software-based device, adedicated firmware-based device, or a combination of these. For example,a dedicated software-based device may be a device with an appropriatesignaling transducer and a processing device in the form of amicrocontroller or digital signal processor. In such a case on-boardmemory, either separate from or built-in to the processing deviceincludes non-transitory computer program code instructions to cause theprocessing device to interact with the security interface in or on thesubject. The proximity-based security mechanism according to otheraspects may be implemented in a general-purpose computing device such asa smartphone, personal computer, or tablet computer. In such a case, theproximity-based security mechanism is implemented by an application (an“app”), which can be installed on the general-purpose computing device.FIG. 2 illustrates a system in which a general-purpose computing deviceis used to implement the proximity-based security mechanism according tosome aspects.

System 200 of FIG. 2 implements proximity-based security for animplantable medical device according to some aspects. System 200includes some of the same or similar components illustrated as part ofsystem 100 as indicated by the use of like reference numbers, however,some other components are configured for use with a general-purposecomputing device as the proximity-based security mechanism. System 200includes implantable medical device 102 that receives programminginstructions through programming interface 104. Implantable medicaldevice 102 is implanted in a subject having flesh boundary 106. System100 also includes an interface switch 208. Interface switch 208 controlsaccess to implantable medical device 102 by enabling and disablingprogramming interface 104. In some aspects, interface switch 208 enablesor disables programming interface 104 by interrupting the programminginterface's connection to a first transducer 110 as before. A securityinterface 212 is communicatively coupled to implantable medical device102 through the interface switch 208.

In the example of system 200 of FIG. 2, security interface 212 isoperable to detect activation signal 214 received through flesh boundary106 from a proximity-based security mechanism implemented by a mobilecomputing device 216, a smartphone that will be discussed in more detailbelow with respect to FIG. 4. Security interface 212 receives activationsignal 214 using second transducer 218. Activation signal 214 can be anacoustic signal or optical signal as previously discussed, in eithercase generated by the smartphone hardware under control of anappropriate app. A combination of acoustic and optical signals can alsobe used. If the appropriate activation signal is received, securityinterface 212 closes interface switch 108 to allow programminginstructions to reach programming interface 104. In this example, theseinstructions are again carried by signal 120 that is communicated bycommunication interface device 122, which provides programminginstructions for medical device functions. The instructions can becarried by signal 120 as received using transducer 110.

FIG. 3 illustrates a portion of system 300, namely, the securityinterface and signaling components. It should be understood that theimplantable medical device and other previously discussed components maybe included in such a system, but have been omitted from FIG. 3 forclarity of illustration. System 300 includes a security interface 312that is configured to receive two or more signals from two or moreproximity-based security mechanisms. Activation signal 314 istransmitted by proximity-based security mechanism 316 to first locationtransducer 318. Activation signal 315 is transmitted fromproximity-based security mechanism 317 to second location transducer319. In some aspects, two different signal types can be used. Forexample, both a magnetic signal and an optical signal could be used toenhance the security of the system. The two proximity-based securitymechanisms can be implemented in a unitary device. Alternatively, as insystem 300 illustrated in FIG. 3, two signals of the same or differenttype are applied in proximity to two different places on the body of thesubject or near different parts of flesh boundary 106, such as locationA and location B. Thus, instead of a single activation signal, two ormore spatially diverse activation signals are used.

The signals described above with respect to system 300 of FIG. 3 may anysignal types and be coded in any of the ways previously discussed for agiven signal type. For example, both magnetic signal and an opticalsignal can be required for activation of the interface switch. Otherforms the two activation signals can take include multiple frequenciesof light or sound, or a time-based variation, such as two differentpredetermined patterns for a flashing light, a pulsing magnetic field,or both. The system could also require that different conditions aresensed at the same time, such as one transducer sensing light, the otherno light, or both receiving a time-coded signal, but not synchronized.In such implementations, an attempt to activate the programminginterface for the implanted medical device from a distance would failbecause the signaling could not meet the required activation conditions.A user can use a mobile computing device app to generate simultaneouslight pulses and tone sequences. Since the system still requires closeproximity with these bi-modal signaling implementations, the signalingspecifics don't necessarily need to be kept completely secret, but couldbe provided to and kept on-hand by first responders and medicalpersonnel.

FIG. 4 is a block diagram depicting a computing device for implementinga proximity-based security mechanism for an implantable medical deviceaccording to some aspects. Referring now to FIG. 4, the exemplary mobilecomputing device 216 from FIG. 2 will be described detail. The mobiledevice of FIG. 4 includes a high power (hi power) radio subsystems block401, a baseband logic block 402, a main processor and control logicblock (“main logic”) 403, and an audio interface block 404. A subscriberidentity module (SIM) 408 is shown as operatively connected to the mainprocessor and control logic. Also included is flash memory 409, abattery 410, and random access memory (RAM) 411. The RAM 411 may in someaspects include various devices and possibly memory dedicated tospecific purposes such as graphics. A portion of RAM 411 may be used tostore the data currently being viewed on the display of the mobiledevice. The display (not shown) is part of tactile and visualinput/output (I/0) block 412. Within the high power radio subsystemsblock 401, the transmit and receive information is converted to and fromthe radio frequencies (RF) of the various carrier types, and filteringusing baseband or intermediate frequency circuitry is applied. Radiosubsystems for more local communication such as for Wi-Fi are includedin this block. The device's main antenna system 413 is communicativelycoupled to the radio subsystems block 401. The device also includes aWi-Fi antenna 414. In the baseband logic block 402, basic signalprocessing occurs, e.g., synchronization, channel coding, decoding andburst formatting.

Still referring to FIG. 4, the audio interface block 404 handles voiceas well as analog-to-digital (A/D) and D/A processing. It also producesoutput through speaker 416. The output may include acoustic signaling toimplement the proximity-based security mechanism using audible orultrasonic tones as previously discussed. Similarly, the tactile andvisual input/output (I/0) block 412 can produce output through lamp 417such as light flashes to implement the proximity-based securitymechanism using optical signaling as previously discussed. The mainlogic 403 coordinates the aforementioned blocks and also plays animportant role in controlling the interface components such as a screenand touch interface or keyboard. The functions of the aforementionedblocks are directed and controlled by a processing device or processingdevices included in the main logic, such as general-purposemicroprocessors, digital signal processors (DSPs), application specificintegrated circuits (ASICs), various types of signal conditioningcircuitry, including analog-to-digital converters, digital-to-analogconverters, input/output buffers, etc. The mobile device, in someaspects, communicates with external devices via a bi-directional,short-range near-field communication (NFC) interface 440. In addition tothe previous examples, the activation signal directed to the securityinterface of the implantable device can be an electromagnetic signal 445following NFC protocol, since NFC operates only when devices are inclose proximity. A frequency of about 13.56 MHz is used for at leastsome standard, near field communication. However, other frequencies canbe used as long as the frequency is known.

The flash memory 409 shown in FIG. 4 includes at least one array ofnon-volatile memory cells. RAM 411 includes at least one array ofdynamic random access memory (DRAM) cells. The content of the flashmemory may be pre-programmed and write protected thereafter, whereas thecontent of other portions of the RAM may be selectively modified and/orerased. The flash memory therefore, is non-transitory computer-readablemedium that is used to store operating system software and applicationprograms (apps), including an app 450, which includes instructionsexecutable by computing device 216 to carry out the proximity-basedsecurity mechanism function described herein. RAM may be used to store,temporarily, code or frequency values to be applied to an activationsignal, credentials or other data. The computing device of FIG. 4 mayalso be used to send programming instructions (commands or updates) toan implantable medical device. In some examples, these would be relayedor generated through an Internet server and ultimately transmitted tothe implantable medical device through the communication interfacedevice 122 for medical device functions.

Any computing device that is used as or implements a proximity-basedsecurity mechanism as described herein may contain many of the sameelements discussed above with respect to FIG. 4. As an example, adedicated device includes a main processor device, control, and powerlogic, RAM, flash memory, a battery, and the audio and visual I/O. Theprocessing device can execute one or more operations for transmitting,receiving, and decoding signals. The processing device can executeinstructions stored in a non-transitory memory device to perform theoperations. The processing device can include one processing device ormultiple processing devices. Non-limiting examples of a processingdevice include a field-programmable gate array (“FPGA”), anapplication-specific integrated circuit (“ASIC”), a microprocessingdevice, etc.

A memory device storing computer program instructions executable by theprocessing device can include any type of memory device that retainsstored information when powered off. A computer-readable medium caninclude electronic, optical, magnetic, or other storage devices capableof providing the processing device with computer-readable instructionsor other program code. Such a medium may store the instructions on aserver prior to installation in or programming of a proximity-basedsecurity mechanism. Non-limiting examples of a computer-readable mediuminclude (but are not limited to) magnetic disk(s), memory chip(s),read-only memory (ROM), random-access memory (“RAM”), an ASIC, aconfigured processing device, optical storage, or any other medium fromwhich a computer processing device can read instructions.

FIG. 5 depicts a flowchart illustrating a process for providingproximity-based security for an implantable medical device according tosome aspects. Process 500 of FIG. 5 will be described with reference tothe system diagram of FIG. 1. At block 502, proximity-based securitymechanism 116 in close proximity to the subject receives input from auser indicating that the user wishes to activate the programminginterface for implantable medical device 102. At block 504, implantedsecurity interface 112 detects the activation signal or signals from theproximity-based security mechanism at or near the implantable medicaldevice. At block 506, if the activation signal is coded, implantedsecurity interface 112 decodes the activation signal, authenticates thesignal, and optionally returns a confirmation signal. This confirmationsignal, if used, would typically be received back through the networkvia the communication interface device 122. At block 508, implantedsecurity interface 112 activates programming interface switch 108 forimplantable medical device 102 in response to the activation signal. Atblock 510, implantable medical device 102 receives programminginstructions through programming interface 104. When programming iscomplete, programming interface switch 108 is deactivated, for example,based on time, a deactivation signal, or the continued absence of anactivation signal at block 512.

FIG. 6 depicts a flowchart showing the operation of a computing deviceimplementing a proximity-based security mechanism for an implantablemedical device according to some aspects. Process 600 will be describedwith respect to the computing device of FIG. 4. At block 602, main logic403 receives user input indicating a desire to activate theproximity-based security application or function in the device in orderto authenticating access to the programming interface of the implantablemedical device while in close proximity to the subject. Main logic 403receives the input through tactile and visual I/0 412. At block 604,main logic 403 accesses a unique identifier for the implantable medicaldevice. This identifier may be accessed by receiving additional userinput, or maybe retrieved from flash memory 409. The identifier is usedto code the authentication signal for the implantable medical device. Atblock 606, computing device 216 transmits acoustic, optical, or combineauthentication signal configured to activate the programming interfacein the implantable medical device. This activation signal includes pulsefrequency coding as needed. At block 608, a confirmation signal isoptionally received by computing device 216. This confirmation signalwould typically be received back through the network via thecommunication interface device 122 and the Wi-Fi or cellular interfaceof computing device 216, though a system could be designed to sendconfirmation signals back through the NFC interface 440. At block 610,programming instructions are optionally sent through the programminginterface of the implantable medical device. The programminginstructions may be received through user input and temporarily storedin RAM 411, may be retrieved from a server, or may be retrieved fromflash memory 409.

Unless specifically stated otherwise, throughout this specificationterms such as “processing,” “computing,” or the like refer to actions orprocesses of a computing device, such as one or more computers or asimilar electronic computing device or devices, that manipulate ortransform data represented as physical electronic or magnetic quantitieswithin memories, registers, or other information storage devices,transmission devices, or display devices of the computing platform.

The system or systems discussed herein are not limited to any particularhardware architecture or configuration. A computing device can includeany suitable arrangement of components that provides a resultconditioned on one or more inputs. Suitable computing devices includemultipurpose microprocessor-based computing systems accessing storedsoftware that programs or configures the computing system from ageneral-purpose computing apparatus to a specialized computing apparatusimplementing one or more aspects of the present subject matter. Anysuitable programming, scripting, or other type of language orcombinations of languages may be used to implement the teachingscontained herein in software to be used in programming or configuring acomputing device.

Aspects of the methods disclosed herein may be performed in theoperation of such computing devices. The order of the blocks presentedin the examples above can be varied—for example, blocks can bere-ordered, combined, or broken into sub-blocks. Certain blocks orprocesses can be performed in parallel.

The foregoing description of the examples, including illustratedexamples, of the subject matter has been presented only for the purposeof illustration and description and is not intended to be exhaustive orto limit the subject matter to the precise forms disclosed. Numerousmodifications, adaptations, and uses thereof will be apparent to thoseskilled in the art without departing from the scope of this subjectmatter. The illustrative examples described above are given to introducethe reader to the general subject matter discussed here and are notintended to limit the scope of the disclosed concepts.

1. A system comprising: an implantable medical device including aprogramming interface to receive programming instructions in vivo in asubject to control operations of the implantable medical device; and asecurity interface coupled to the implantable medical device in vivo toprevent access to the programming interface except in response toreceiving a coded activation signal produced ex vivo in proximity to thesubject to allow the programming interface to receive the programminginstructions.
 2. The system of claim 1 wherein the coded activationsignal comprises an ultrasonic or audible acoustic signal including acoded tone.
 3. The system of claim 1 wherein the coded activation signalcomprises a magnetic field that includes at least one of a pulsefrequency or predetermined pattern.
 4. The system of claim 1 wherein thecoded activation signal comprises an optical signal that includeswavelengths of light that are transmitted easily through skin and anon-off coding scheme.
 5. The system of claim 1 wherein the codedactivation signal comprises a plurality of spatially diverse signals. 6.The system of claim 1 further comprising a proximity-based securitymechanism to generate the coded activation signal in close proximity tothe subject.
 7. The system of claim 6 further comprising: an interfaceswitch communicatively coupled to the programming interface; a firsttransducer communicatively coupled to the interface switch to receivethe programming instructions; and a second transducer communicativelycoupled to the security interface to receive the coded activation signalfrom the proximity-based security mechanism.
 8. A method comprising:detecting, at or near a medical device implanted in a subject, a codedactivation signal produced in close proximity to the subject; activatinga programming interface for the medical device in response to the codedactivation signal; and receiving programming instructions over theprogramming interface while the programming interface is activated. 9.The method of claim 8 wherein the coded activation signal comprises apulsed magnetic field.
 10. The method of claim 9 wherein the pulsedmagnetic field comprises at least one of a pulse frequency orpredetermined pattern that is specifically assigned to the implantablemedical device.
 11. The method of claim 8 wherein the coded activationsignal comprises an optical signal that includes wavelengths of lightthat are transmitted easily through skin and an on-off coding scheme.12. The method of claim 8 wherein the coded activation signal comprisesan ultrasonic or audible acoustic signal including a coded tone.
 13. Themethod of claim 11 wherein the coded activation signal comprises aplurality of spatially diverse signals.
 14. The method of claim 8wherein the coded activation signal comprises at least one of a carrierfrequency or a pulse frequency specifically assigned to the medicaldevice.
 15. A non-transitory computer-readable medium that includesinstructions that are executable by a computing device for causing thecomputing device to perform operations for activating a programminginterface of a medical device implanted in a subject, the operationscomprising: receiving input from a user directed to authenticatingaccess to the programming interface of the medical device; andtransmitting an authentication signal comprising at least one of anacoustic signal or an optical signal configured to activate theprograming interface when the computing device is in close proximity tothe subject.
 16. The non-transitory computer-readable medium of claim 15wherein the operations further comprise: accessing an identifier for themedical device; and coding the authentication signal in accordance withthe identifier for the medical device.
 17. The non-transitorycomputer-readable medium of claim 16 wherein the authentication signalcomprises pulse coding.
 18. The non-transitory computer-readable mediumof claim 16 wherein the authentication signal comprises frequencycoding.
 19. The non-transitory computer-readable medium of claim 15wherein the authentication signal comprises an acoustic signal and anoptical signal.
 20. The non-transitory computer-readable medium of claim15 wherein the operations further comprise sending programminginstructions to the programming interface of the medical device.